Webcam-snooping spawn of ZeuS hits 150 banks worldwide

Chthonic exploits Word bug to hijack browsers, steal passwords

The latest evolution of the online bank account raiding Trojan ZeuS is the webcam-spying Chthonic malware, according to researchers.

Chthonic infects Windows PCs, and allows criminals to connect to the compromised PC remotely and command it to carry out fraudulent transactions.

The software nasty is targeting customers of more than 150 banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy are among the most heavily targeted.

Security researchers at Kaspersky Lab say the theftware is an evolution of ZeuS.

Chthonic’s main weapon is web injectors: it inserts its own malicious JavaScript code and images into an online bank's pages when they are fetched by the web browser on an owned Windows PC. These modifications intercept the victim’s phone number, one-time passwords and PINs, and any other sensitive information typed in by the user, and send it off to fraudsters.

In the case of one of the Japanese banks targeted, Chthonic was able to hide the bank’s warnings about malware, and instead inject a script that allows attackers to carry out various transactions using the victim’s account.

Elsewhere, affected customers of Russian banks are greeted by a completely fraudulent banking site as soon as they enter their login details. The Trojan creates an iframe containing a counterfeit copy of the website, sized to match the original window.

Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well.

Victims are infected through web links or by email attachments carrying a booby-trapped document that exploits a bug in Microsoft's Word software to execute malicious code.

“The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products,” Kaspersky Lab explains. Once downloaded and running, the malicious code, which contains an encrypted configuration file, injects itself into an msiexec process, and a number of malicious modules are unpacked and installed on the machine.
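As an added illustration (not from the article or from Kaspersky's analysis), the following Python sketch hunts for that delivery chain in endpoint telemetry: an Office process spawning a non-Office child, and a process descended from Word creating a remote thread in msiexec. The event field names, the sample events and the image name payload.exe are constructed assumptions, loosely modelled on Sysmon process-create and CreateRemoteThread records.

```python
# Added example: flag the Chthonic-style delivery chain (Word opens a
# booby-trapped RTF, the payload injects into msiexec) in constructed,
# simplified endpoint events. Field names are assumptions, not a real schema.

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

EVENTS = [  # constructed sample telemetry, not real data
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "payload.exe"},
    {"type": "process_create", "pid": 400, "ppid": 50, "image": "msiexec.exe"},
    {"type": "remote_thread", "source_pid": 300, "target_image": "msiexec.exe"},
    {"type": "process_create", "pid": 500, "ppid": 100, "image": "chrome.exe"},
    {"type": "remote_thread", "source_pid": 500, "target_image": "msiexec.exe"},
]

def build_tree(events):
    """Map pid -> (lower-cased image, ppid) from process-create events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"])
            for e in events if e["type"] == "process_create"}

def lineage(procs, pid):
    """Image names of pid and its ancestors, guarding against pid reuse loops."""
    seen, names = set(), []
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, pid = procs[pid]
        names.append(image)
    return names

def find_suspicious(events):
    """Return (rule, pid, image) tuples for behaviour matching the chain."""
    procs = build_tree(events)
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"], ("", None))[0]
            if parent in OFFICE and e["image"].lower() not in OFFICE:
                findings.append(("office_spawn", e["pid"], e["image"]))
        elif e["type"] == "remote_thread":
            # Only a process descended from (or being) an Office process
            # touching msiexec matches the injection step described.
            if (e["target_image"].lower() == "msiexec.exe"
                    and set(lineage(procs, e["source_pid"])) & OFFICE):
                findings.append(("inject_msiexec", e["source_pid"], e["target_image"]))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

The chrome.exe remote-thread event is deliberately left unflagged: without an Office ancestor it does not fit the chain the article describes, which keeps the rule from firing on ordinary installer activity.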

Analysis is ongoing, but so far Kaspersky Lab researchers have discovered modules that can collect system information, steal saved passwords, log keystrokes, enable remote access, and record video and sound through any installed web camera and microphone.

“The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving,” said Yury Namestnikov, senior malware analyst at Kaspersky Lab and one of the researchers who investigated the threat. “Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code.”

“Chthonic is the next phase in the evolution of ZeuS. It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways,” he added.

Namestnikov warned that more new variants of ZeuS are likely. More technical details on Chthonic can be found in a post on Kaspersky’s official Securelist blog here. ®
